Use of kerberos in python samdb script

William Brown william.e.brown at adelaide.edu.au
Sat May 11 18:13:30 MDT 2013


Hi,

I am attempting to write a python script using the samba.samdb SamDB module. I 
am attempting to authenticate via kerberos with this.

My script is:

#WARNING - This requires you to erase samba-python and samba-dc on fedora!!!!
import sys
sys.path.append('/opt/samba4/lib64/python2.7/site-packages')

from samba.samdb import SamDB
from samba import ldb
from samba.param import LoadParm
from samba.auth import system_session
from samba.credentials import Credentials, AUTO_USE_KERBEROS, MUST_USE_KERBEROS

import getpass

lp = LoadParm()
creds = Credentials()
creds.guess(lp)
creds.set_username('william')
creds.set_kerberos_state(AUTO_USE_KERBEROS)
#creds.set_password(getpass.getpass('Samba password #'))

#samdb = SamDB(url='ldap://lillie.example.com', session_info=system_session(), credentials=creds, lp=lp)
samdb = SamDB(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)
#l = Ldb(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)

res = samdb.search(base=samdb.domain_dn(), scope=ldb.SCOPE_SUBTREE, expression='(cn=William)', attrs=["cn", "uid", "gid"])


Using the creds.set_password function works as expected, and I am able to get 
results from the search.

However, using the set_kerberos_state does not work. I am greeted by:


Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL:[GSS-SPNEGO]: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://lillie.ad.example.com' with backend 'ldap': (null)
Traceback (most recent call last):
  File "ldbexample.py", line 21, in <module>
    samdb = SamDB(url='ldap://lillie.ad.example.com', session_info=system_session(), credentials=creds, lp=lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 56, in __init__
    options=options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/samdb.py", line 71, in connect
    options=options)
_ldb.LdbError: (1, None)


I can correctly verify I have a krb5 ticket that is valid:

Ticket cache: DIR::/run/user/2000/krb5cc/tkt8FKOCB
Default principal: william@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
05/12/13 08:48:19  05/12/13 18:48:19  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 05/13/13 08:48:19

Using this ticket I can correctly query the domain with ldapsearch. Thus, the 
ticket and environment definitely work with krb5. 

ldapsearch -Y GSSAPI


Any ideas on what is going wrong here?


-- 
Sincerely,

William Brown

Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005

CRICOS Provider Number 00123M